MD5 (youPecks) = a3f5054fa43902333ac67dea4c0e7403
OK, let’s start the sample first:
Well, 2 + 2 = 4, that’s right. Let’s have a look at the imports:
That’s not much. Maybe it’s packed? Let’s check it with ExeinfoPe:
Seems to be packed with UPX. This should be easy to unpack. Let’s try it with UPX itself:
Let’s start it again:
Hm, it does not even start, so there is no chance to debug it in Olly either, because it will crash before I can step through the code. Something must have gone wrong with the unpacking. We’ll try to unpack it manually. We’ll use a WinXP VM since Win7 and Win8 do not work for some reason. There are a lot of really good tutorials on how to unpack UPX manually, so I’ll skip all the details here.
Olly will break on the EP (B440):
Step over the PUSHAD instruction and “Follow Dump” on the ESP register:
Set a memory breakpoint “On Access” at 12FFA4 (the stack slot ESP points to after PUSHAD; it is touched again when the stub’s POPAD restores the registers):
Let’s run the binary. It will stop at the memory breakpoint you set. Scroll down a little and you will identify a far jump (0x40b61A) with a lot of crap code below it.
Set a breakpoint at the jump:
Run until the JMP and step over it. You will land at the OEP of this binary (0x403A8A):
Dump the process with OllyDump:
Press Dump and save the file. Don’t quit Olly, because we need to fix the imports first. Start Import REConstructor and fix the IAT:
Type in the OEP, which is 3A8A (see the screenshot above), and press IAT AutoSearch:
As Import REConstructor tells us, we press Get Imports and finally “Fix Dump” to save the file.
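The two things the walkthrough checked by eye (the near-empty import view and the ExeinfoPe verdict) and the addresses it stepped through (EP B440, the far jump at 0x40b61A, the OEP 0x403A8A) can be cross-checked from the PE section table alone. The script below is an added example, not code from the original post: it parses a PE32 section table with the standard library, applies the usual packing heuristics (UPX section names, a first section with no raw data, entry point outside the first section, high-entropy section, tiny import directory), and maps a virtual address to the section that holds it. The PE image it parses is constructed inline with an image base of 0x400000 and a section layout chosen so that the post’s addresses fall where they would in a UPX-packed file; it is not the real youPecks sample.

```python
"""Added example: PE32 section-table parser with packing heuristics.
Not the original post's code. The PE image is constructed in-script."""
import math
import struct

IMAGE_BASE = 0x400000      # matches the addresses quoted in the post
EP_RVA = 0xB440            # Olly broke on EP B440 in the post
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # 40-byte IMAGE_SECTION_HEADER


def deterministic_noise(n):
    """xorshift32 filler so the constructed packed section has high entropy
    without os.urandom (keeps the script deterministic)."""
    x, out = 0x2545F491, bytearray()
    while len(out) < n:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:n])


def build_packed_pe():
    """Constructed UPX-style PE32: UPX0 has no raw data (unpack target),
    UPX1 holds the packed bytes and the stub, .rsrc is tiny. Layout is made up."""
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [
        (b"UPX0", 0x8000, 0x1000, 0x0000, 0x400),
        (b"UPX1", 0x3000, 0x9000, 0x2E00, 0x400),
        (b".rsrc", 0x1000, 0xC000, 0x0200, 0x3200),
    ]
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, EP_RVA)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)      # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)           # FileAlignment
    struct.pack_into("<I", opt, 56, 0xD000)          # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, 0xB000, 0x28)  # import dir: one descriptor + terminator
    hdrs = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    for name, vsize, va, rsize, rptr in sections:
        hdrs += SECTION_HDR.pack(name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(hdrs.ljust(0x400, b"\0"))
    image += deterministic_noise(0x2E00)   # UPX1 raw data: looks random
    image += b"\0" * 0x200                 # .rsrc raw data: low entropy
    return bytes(image)


def entropy(buf):
    """Shannon entropy in bits per byte; ~8.0 for compressed/encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Read the headers and section table of a PE32 file into a dict."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    _import_rva, import_size = struct.unpack_from("<II", data, opt + 104)
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize, rptr, *_rest = SECTION_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rsize": rsize,
                         "entropy": entropy(data[rptr:rptr + rsize])})
        off += SECTION_HDR.size
    return {"image_base": image_base, "entry_rva": entry_rva,
            "import_size": import_size, "sections": sections}


def section_for_va(pe, va):
    """Name of the section whose virtual range contains the address, or None."""
    rva = va - pe["image_base"]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None


def packing_indicators(pe):
    """Heuristics a reverser applies before unpacking; returns the hits."""
    secs, hits = pe["sections"], []
    if any(s["name"].upper().startswith("UPX") for s in secs):
        hits.append("section names start with UPX")
    if secs and secs[0]["rsize"] == 0 and secs[0]["vsize"] > 0:
        hits.append("first section has no raw data but a large virtual size (unpack target)")
    ep_sec = section_for_va(pe, pe["image_base"] + pe["entry_rva"])
    if secs and ep_sec is not None and ep_sec != secs[0]["name"]:
        hits.append("entry point lies in %s, not the first section (stub runs first)" % ep_sec)
    if any(s["entropy"] > 7.0 for s in secs):
        hits.append("a section has entropy > 7.0 bits/byte (compressed or encrypted)")
    if pe["import_size"] <= 0x28:
        hits.append("import directory has room for one descriptor only")
    return hits


if __name__ == "__main__":
    pe = parse_pe(build_packed_pe())
    for s in pe["sections"]:
        print("%-6s va=%#07x vsize=%#06x raw=%#06x entropy=%.2f"
              % (s["name"], s["va"], s["vsize"], s["rsize"], s["entropy"]))
    for addr in (IMAGE_BASE + EP_RVA, 0x40B61A, 0x403A8A):
        print("%#x -> %s" % (addr, section_for_va(pe, addr)))
    print("\n".join(packing_indicators(pe)))
```

Run against the constructed image, the EP and the far jump both resolve to UPX1 (the stub section) while the OEP resolves to UPX0, which is exactly the picture the ESP trick relies on: the stub writes the real code into the empty first section and jumps there. On a real sample, replace build_packed_pe() with open(path, "rb").read(); PE32+ files put ImageBase and the data directories at different optional-header offsets, so the parser as written is PE32 only.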
Now we’re trying to start the unpacked sample again:
The last breakpoint is the one where the magic happens, but see for yourself:
Did I already mention that writing blog posts is a shitload of work?